On Mon, Jun 4, 2012 at 12:19 PM, Dirkjan Ochtman <firstname.lastname@example.org> wrote:
> So to prevent your scenario, we'd
> have to get everyone to check the signature of the tip of tree they
> pulled before committing/merging.
How can we be sure this has happened?
This is the problem with signed manifests today. I can sign a
manifest, but I didn't actually check all the files inside it, and the
file might or might not have been signed before I modified it, and
most likely I didn't even check the signature even if it was there.
Anything we do has to be automated to be of any real value. Ideally
if something goes wrong it should be as detectable as possible.
Warts and all, the current system hasn't broken down yet. However, if
we ever did find out about an intrusion in our cvs repository, we'd
essentially have to do a 100% code review to be sure it was OK, and
that includes checking all tarballs on mirrors.
With signed commits we could verify that the tree was intact, and if
anything bad was found we could pinpoint exactly whose key was
compromised and do a focused check on their commits.
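The contrast drawn in this message, a single signed manifest versus a signature on every commit, as an added example that is not part of the thread or of any project's tooling. It uses HMAC-SHA256 with a per-developer secret as a stand-in for a real public-key commit signature (the developers, keys, commits and the tampering step are all constructed), so the structure is realistic while the primitive is deliberately a toy: a manifest signature only reports that the tree changed, whereas per-commit signatures localize the bad commit and name the key whose commits deserve a focused review.

```python
"""Toy comparison of per-commit signatures versus one signed manifest.

Added example, not code from the mailing-list thread. HMAC with a
per-developer secret stands in for a real public-key signature.
"""
import copy
import hashlib
import hmac

# Constructed developer "keys" (stand-ins for the developers' GPG keys).
DEV_KEYS = {
    "alice": b"alice-secret-key",
    "bob": b"bob-secret-key",
}


def commit_hash(parent, author, content):
    """Content hash binding a commit to its parent, author and change."""
    h = hashlib.sha256()
    h.update(parent.encode() + b"\0" + author.encode() + b"\0" + content.encode())
    return h.hexdigest()


def sign_commit(parent, author, content):
    """Create a commit signed with the author's own key."""
    digest = commit_hash(parent, author, content)
    sig = hmac.new(DEV_KEYS[author], digest.encode(), hashlib.sha256).hexdigest()
    return {"parent": parent, "author": author, "content": content,
            "hash": digest, "sig": sig}


def verify_chain(commits):
    """Walk the history from the root and return (hash, author, reason)
    for every commit that fails: hash/content mismatch, bad signature for
    the claimed author's key, or a broken parent link."""
    bad = []
    expected_parent = "ROOT"
    for c in commits:
        reasons = []
        if c["parent"] != expected_parent:
            reasons.append("parent link broken")
        if commit_hash(c["parent"], c["author"], c["content"]) != c["hash"]:
            reasons.append("content does not match hash")
        key = DEV_KEYS.get(c["author"])
        expected_sig = (hmac.new(key, c["hash"].encode(), hashlib.sha256).hexdigest()
                        if key else "")
        if not key or not hmac.compare_digest(expected_sig, c["sig"]):
            reasons.append("signature invalid for author key")
        if reasons:
            bad.append((c["hash"], c["author"], "; ".join(reasons)))
        expected_parent = c["hash"]
    return bad


def commits_by_author(commits, author):
    """The focused review set: every commit attributed to one key."""
    return [c for c in commits if c["author"] == author]


def manifest_signature(commits, signer):
    """The 'signed manifest' model: one signature over the whole tree."""
    tree = hashlib.sha256("".join(c["hash"] for c in commits).encode()).hexdigest()
    return hmac.new(DEV_KEYS[signer], tree.encode(), hashlib.sha256).hexdigest()


def manifest_ok(commits, signer, sig):
    """True if the tree still matches the manifest signature; says nothing
    about which commit changed."""
    return hmac.compare_digest(manifest_signature(commits, signer), sig)


def build_history():
    """Constructed three-commit history with two developers."""
    c1 = sign_commit("ROOT", "alice", "initial import")
    c2 = sign_commit(c1["hash"], "bob", "add build script")
    c3 = sign_commit(c2["hash"], "alice", "fix typo")
    return [c1, c2, c3]


def tamper(commits, index, new_content):
    """Simulate an intruder who edits one stored commit and recomputes its
    hash but has no developer key, so the old signature is left in place."""
    t = copy.deepcopy(commits)
    c = t[index]
    c["content"] = new_content
    c["hash"] = commit_hash(c["parent"], c["author"], c["content"])
    return t


if __name__ == "__main__":
    hist = build_history()
    sig = manifest_signature(hist, "alice")
    altered = tamper(hist, 1, "add build script (modified in repository)")
    print("manifest still valid:", manifest_ok(altered, "alice", sig))
    for h, author, why in verify_chain(altered):
        print(f"{h[:12]} by {author}: {why}")
```

With a tampered second commit the manifest check only returns False; `verify_chain` instead reports that commit as failing signature verification under bob's key and the following commit as having a broken parent link, which is the pinpointing the message describes, and `commits_by_author` yields the set to review if a key itself is suspected of being compromised.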